July 10, 2026
GitHub API Abuse via Ghost Accounts and Token Compromise
Intro

By SOCFortress
3 min read
Intro
By aggregating thousands of seemingly unremarkable API requests, a coordinated network of actors is systematically mapping corporate organizations. These threats do not kick down the door; they walk through the public entrance with a valid ticket, blending perfectly into the background noise of legitimate traffic. This is the era of the "unremarkable" breach, where reconnaissance is conducted with such surgical patience that it becomes nearly invisible.
The "Ghost" Accounts
The most striking revelation of this research is the deployment of "ghost" accounts — profiles that exhibit a level of adversarial patience rarely seen in opportunistic scraping. These accounts were created two to five years ago and left dormant, only to be weaponized as part of a campaign monitored since October 2025.
This strategy is a calculated counter-intuitive play. In an industry obsessed with velocity, these attackers prioritize long-term legitimacy over the speed of execution. An account with a half-decade of history bypasses the automated heuristics that typically flag high-velocity burner accounts created on the fly.
Datadog identified over 50 of these dormant profiles, often following recognizable naming conventions such as the amazon-data-* prefix, the *-orb family (including kuku-orb and lolo-orb), or handles like BirdWithPlan and BirdWithDreams.
"An account with a multi-year history reads as more legitimate than one registered the same week it starts scraping."
These accounts emerge for intense, high-fidelity bursts of activity lasting between one and three weeks before retreating back into the shadows, leaving the target organization fully mapped and vulnerable to the next phase of the attack.
The "Public by Design" Blind Spot
The attackers' methodology relies on the fact that a significant portion of GitHub's API surface is reachable without any authentication at all. Because these routes are public by design, every request generates a clean HTTP 200 "OK" response. No alarms are tripped because, technically, no rules are broken.
By programmatically walking through an organization's social graph, an actor can build a comprehensive dossier on its engineering team. They leverage GraphQL as a high-precision scalpel, utilizing its ability to execute bulk queries across organizations and repositories to reduce their footprint per query. Through this, they identify which projects a developer touches, who they follow, and the underlying structure of the private environment they are preparing to infiltrate.
Commonly targeted public routes used to construct this private map include:
/graphql(The primary focus for bulk queries)/organizations/:organization_id/repos/user/:user_id/followers/user/:user_id/following/user/:user_id/gists/user/:user_id/starred/user/:user_id/orgs
The User Agents
To evade pattern-matching detections, these actors utilize "vibe-coded" user agents — custom strings designed to mimic the nomenclature of legitimate internal dashboards and analytics integrations. While some tools use candid names like GitHub-Company-Scraper, others are crafted specifically to disappear into the telemetry of a standard DevOps stack.
One notable anomaly is the use of the bare user agent request. In a landscape of versioned libraries and specific toolsets, this lack of detail actually serves as a signature for a trained threat hunter, standing out precisely because it tries too hard to be generic.
The following deceptive user agents were frequently observed in these campaigns:
GitHubAnalytics/1.5GitHubReporter/2.0GitHub-Insights/3.2GitHubDashboard/1.8GitHubVisualizer/2.7RepoAnalyzer/1.7
When Reconnaissance Turns to Exfiltration
We must view this quiet mapping not as an end, but as a precursor to kinetic action. The transition from reconnaissance to data theft is often abrupt. Once the attacker has the map, they strike the private corridors of an organization with terrifying precision.
This escalation was documented in instances where scanning behavior evolved into confirmed data access. Specifically, a user agent identified as repo-dumper succeeded where earlier, less sophisticated attempts had failed. By leveraging the intelligence gathered during the mapping phase, repo-dumper was able to clone private repositories through a mix of git.clone and api.request events. This demonstrates that the window between "unauthenticated browsing" and "private data exfiltration" is often much smaller than defenders realize.
The Challenge of "Identity Dark Matter"
Beyond the use of aged accounts, attackers are weaponizing "Identity Dark Matter" — the vast reservoir of compromised OAuth and Personal Access Tokens (PATs) harvested from leaked environments or developer endpoint compromises.
Between late December 2025 and early January 2026, Datadog tracked a campaign that utilized a versioned progression of tools, including GitHub-Commit-Fetcher/1.3 and /1.4. The sophistication here was not just in the tools, but in the temporal density of the attack. Dozens of distinct, legitimate GitHub accounts were used to probe private paths within a window of only a few minutes.
This high-velocity "smash and grab" was facilitated by infrastructure hosted on 3xK Tech, a provider notorious for abuse reports. By rotating through a fleet of compromised but legitimate identities, the attacker makes traditional rate-limiting and identity-based anomaly detection nearly obsolete. The requests don't look like an external attack; they look like a sudden, simultaneous surge of activity from your own trusted employees.
Knowing Your Normal
The greatest defense against this brand of API abuse is a meticulous baseline of your own environment. Because the individual requests are successful and target public data, they will never be found by looking at "failed" events. They can only be unmasked through aggregate analysis and proactive hunting.
Organizations must move beyond passive monitoring. This requires enabling GitHub audit log streaming and rigorously baselining user agents and source ASNs. If you see GitHubAnalytics/1.5 in your logs, you need to know—with certainty—if that is a tool your team actually uses or a ghost in your machine.
How much visibility does your organization truly have into "successful" but anomalous API traffic?